So straight to the problem: the relaxed user comes back off holiday and typically has forgotten their password. They cannot log on to their hybrid laptop and, due to the lack of an always-on VPN, will now need to drive into the office so they can connect to the network and cache a new password which has been set for them.
The user could log on locally with an emergency account and a unique password. An analyst could then assist them with the built-in Windows 10 Quick Assist application and enable the required VPN in a different session. This is not a very elegant solution and would need a way to centrally manage that password and audit its use.
I'm sure someone else has come across this, especially now we have more home workers. Ideas here please; anything greatly appreciated.
An additional thought: perhaps a Cisco AnyConnect VPN Management Tunnel on the ASA might give the PC access to the DC pre-logon, so if the password was reset in AD then the user's PC would cache that and permit them to log on. Just a thought.